This is the official writeup of the challenge room, The Great Cyber Detective on TryHackMe.
- Rook link: tryhackme.com/jr/thegreatcyberdetective
Task 1 – Introduction
The Global Security Agency’s (GSA) cyber surveillance team recently detected suspicious activity over encrypted communication channels. The activity is related to a specific Redis database server located in South Korea, which has come to our attention due to unexpected traffic patterns and suspicious script execution.
GSA suspects that this is not a simple cyberattack, but may be part of a larger organized covert activity. Specifically, they have information that this Redis server is being used as a critical communication hub between clandestine networks. This communication is hidden in normal data flows, and it is possible that members of these networks are using it to conduct significant coordination and planning.
Your mission
As GSA’s cyber detective extraordinaire, you have been tasked with getting to the bottom of this covert activity and uncovering their cryptic messages. This mission will go beyond simple technical analysis and will be instrumental in uncovering the true nature of this illegal and organized activity.
In order to understand the nature of this threat, uncover the source and purpose of the cyberattack, and submit a report to GSA, you will use and apply Criminal IP, a cyber threat intelligence search engine, and penetration testing techniques, and document your findings in three sequential tasks.
| Questions | Answers | Hint |
|---|---|---|
| 1. Ready for the adventure? | Yes | – |
| 2. Equip yourself with the cutting-edge tool befitting the finest cyber detective by signing up for a free membership plan on the Criminal IP search engine. Is the engine ready? | Yes | Go to https://www.criminalip.io/register |
| 3. Which search on Criminal IP will you use to dig into the server of this organized group? | Asset Search | Go to https://www.youtube.com/watch?v=fjm2uNnWjkM Asset Search – Asset Search is a search feature that provides the risk level of an IP address in 5 stages and comprehensive information including Domain, Open Ports, vulnerabilities, WHOIS information, and screenshots associated with that IP address. Domain Search – Domain Search is a search feature that provides information about URLs. By scanning a URL, you can check in real-time whether a site is a phishing site or contains malware, as well as the connected IP addresses, subdomains, network logs, and technologies that were used. Exploit Search – Exploit Search is a search feature that maps exploitable vulnerabilities based on searches for CVE IDs, vulnerability types, platforms, and more in real-time. Image Search – Image Search is a search feature that provides image information on devices, websites, and corporate or personal information that are exposed to the Internet. |
Task 2 – The information transmitted
As your first task, you should familiarize yourself with the syntax needed to create the filters and queries you’ll use in your Criminal IP banner search. This will help you identify the keywords and conditions you need to use to identify specific information.
These skills are important when looking for truly unknown vulnerable systems, and can help you understand if a particular cyberattack is centered on a particular software version or region.
Server identification
Make sure the at-risk server is identified within your network. The server’s IP address should be obtained, providing a root for further analysis. This information is important for later tracing the path of the attack and understanding its connections within the larger network.
- Finding the IP address is essential for tracing the path of the attack and determining the server’s network location. Participants use this information to understand the security posture of the network the server is part of, and other potential routes an attacker might use.
Network mapping and server identification skills are an important first step in cyber defense and lay the foundation for future security enhancements.
- You can see the operational and performance status of your servers, information about memory usage, and the persistence and reliability of data. This information is important for assessing your server’s current health and operational efficiency, as well as potential performance issues or opportunities for optimization. This can help you decide what actions to take, such as capacity planning, performance optimization, and security hardening for your server.
Check the country and version that a suspicious Redis server is using!
| Questions | Answers | Hint |
|---|---|---|
| 1. What filter query did you use to find servers using Redis? | product: redis | Go to https://www.criminalip.io/developer/filters-and-tags/filters |
| 2. Add a filter query to locate Korea-based servers. | product: redis country:KR | – |
| 3. Add a query to find servers using version 7.0.12 of Redis. | product: redis country:KR product_version: 7.0.12 | – |
| 4. Did you identify the server hosted on Microsoft that contains 5 key values? | Yes | – |
Task 3 – Profiling
Congratulations, you’ve found a server that contains five key values!
Now you need to find the suspicious encryption script! For your second mission, you’ll need to look at the detailed results page of the Criminal IP Asset Search to understand the threat intelligence information associated with the server.
Analyzing the IP Score
- The Inbound Score is used to assess the risk of incoming traffic and is an important criterion for determining the trustworthiness of a particular IP address. This score can be utilized in decisions to allow or block access to your system, with a high score indicating that the IP address is risky or may be accessing through a VPN. The Outbound score, on the other hand, indicates the risk of access to an external server, which is used to decide whether to interact with the server. An Outbound score of ‘Critical’ means that the server is likely to be associated with a vulnerability.”
Port analysis
Once you know your server’s IP address, it’s time to investigate which services are exposed to potential attacks. By identifying all open ports, analyzing the services they provide and their vulnerabilities, you can identify potential attack vectors available to an attacker.
- Identifying open ports is critical to understanding the attack surface of a server. It allows participants to assess which services are exposed to the outside world and which could be potential entry points.
Port scanning and service enumeration are essential in the information gathering phase, which provides critical data for vulnerability discovery and penetration testing.
Exploring the vulnerability
Once you’ve found a vulnerable port on your Redis server, it’s time to investigate the vulnerability in detail. This will help you determine how the attacker got in, what vulnerability they exploited, and you’ll need to find and record the CVE ID assigned to the vulnerability.
- Identifying vulnerabilities in specific software and finding CVE IDs is key to the vulnerability management process. Participants can use this information to assess the severity of the vulnerability and take appropriate remediation actions.
This step helps participants utilize the vulnerability database and develop a deeper understanding of vulnerabilities.
| Questions | Answers | Hint |
|---|---|---|
| 1. What is the Outbound threat scoring (%) for this server? | 20 | Hover over the IP address, then click on Asset Search. Check the Report for the IP address for server profiling. |
| 2. List the first three Vulnerability CVE IDs written in the profiling report in order. | CVE-2023-45145 CVE-2023-41053 CVE-2022-3647 | – |
| 3. What is the vulnerable port number for this server? | 6379 | – |
Task 4 – Profiling
It’s time to put your crypto script analysis skills to work!
You’ve discovered an encrypted script that exhibits unusual patterns inside a database. The script was surreptitiously planted on a suspicious-looking Redis server and was likely used to exchange encrypted messages between attackers. Deciphering this script is a key to understanding how the attackers’ network operates and their communication code.
Analyze the encryption script to find out what information it hides!
| Questions | Answers | Hint |
|---|---|---|
| 1. What is the essence of the primary activity performed by the encrypted script found on the Redis server? Please provide a clear answer. | Drug | Enter only one keyword. |
| 2. What is the website address mentioned in the script? | hxxp://stealth.minerpro.hack:4256 | – |
| 3. What tool is used in the encryption script? | Wallet address | – |
Task 5 – The great detective with a great tool
Beyond your analytical capacities, you completed the mission, playing a crucial role in unveiling this illicit organized activity!
You utilized Criminal IP, an IP address-based Cyber Threat Intelligence search engine, as the main tool in profiling. It involves compiling evidential security information that minimizes the risk of cyber threats impacting business decision-making processes. Just as fingerprints left at a crime scene help identify criminals, anonymous cyberattacks such as fraudulent access, account theft, payment scams, money laundering, and credential stuffing can all be traced back to their biggest footprint – IP addresses.
Using Criminal IP lets you get a real-time view of how many of your IT assets, including DB servers, file servers, middleware servers, administrator servers, IoT systems, and malicious sites, are populating the network. It allows you to monitor potential attack vectors proactively and stay one step ahead of opportunistic malicious actors.
Criminal IP is a comprehensive solution aggregating vast amounts of OSINT (Open-Source Intelligence) through unique crawling technology. This data is then overlaid with AI and machine learning-based fraud detection algorithms, allowing network scanning at record speed. As a result, you can stay one step ahead of cyber threat actors, identifying and preventing attack points.
Criminal IP covers the latest issues and analyses through its editorial blog and various social media channels. Stay tuned for real-time updates and prevention guides by checking regularly!
- Blog: https://blog.criminalip.io/
- Twitter: twitter.com/CriminalIP_US
- YouTube: https://www.youtube.com/@criminalip1070
| Questions | Answers |
|---|---|
| 1. Have you visited the Criminal IP Blog? You can check for newly detected phishing sites and suspicious IP addresses every week, along with the latest analysis reports on cyber security issues and prevention guides. | Yes |